Nagios core readonly filesystem (userspace) in/since release 4.4.7

Post by naguser_edu »

Dear support community,

I would kindly like to ask for help regarding this topic:
My nagios core setup is configured to write performance-data to a file (/usr/local/pnp4nagios/var/service-perfdata).
This worked without any issues until release nagios-4.4.6.

Since I updated to nagios-4.4.7, it is no longer possible to write any performance data.
nagios[3115]: Warning: File '/usr/local/pnp4nagios/var/service-perfdata' could not be opened - service performance data will not be written to file

With some tests I found out that apparently various mountpoints are (re-)mounted readonly within the environment of the nagios user, including /usr:
/dev/mapper/system-usr on /usr type ext4 (ro,relatime)
...
/dev/mapper/system-var on /var type ext4 (rw,relatime)
/dev/mapper/system-log on /var/log type ext4 (rw,relatime)
/dev/mapper/system-root on /bin type ext4 (ro,relatime)
/dev/mapper/system-root on /etc type ext4 (ro,relatime)
/dev/mapper/system-root on /lib type ext4 (ro,relatime)
/dev/mapper/system-root on /lib64 type ext4 (ro,relatime)
...


It appears to be some hardening measure in the 4.4.7 release.

But this also affects a check script for readonly filesystems (check_ro_mounts); it always reports /usr mounted ro.
Since /usr is regularly mounted rw, this is an undesirable behaviour.

Is there a possibility to define at least an exception for a specific directory to have it mounted rw, for example /usr/local/pnp4nagios/var/, within the env of the nagios user?

Post by danderson »

Thanks for reaching out @naguser_edu,

I don't believe Nagios Core would handle anything like that with mountpoints. The only instance I see of using mount in the Core codebase is mounting a RAMDISK. You should be able to change that mountpoint to rw with no problems.

Let me know if you have any other issues.

Post by naguser_edu »

Dear danderson,

Thank you for your reply. I verified my tests, here are some more details:
The distribution is OpenSuSE Leap 15.5 with kernel 5.14.21-150500.55.62-default

First, the list of "normal" mountpoints doesn't even show some of the above mentioned (for example /bin, /etc/, /lib64)
mount |grep system
...
/dev/mapper/system-root on / type ext4 (rw,relatime)
/dev/mapper/system-usr on /usr type ext4 (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19098)
/dev/mapper/system-var on /var type ext4 (rw,relatime)
/dev/mapper/system-log on /var/log type ext4 (rw,relatime)
...


So I guess the mountpoints must be "modified" either by the system environment for users (this includes the nagios user) in general or specifically by the nagios application environment for the nagios user (sorry if I use the wrong terms).
I just downgraded the nagios version without any other change:



zypper in --oldpackage nagios-4.4.6-bp154.1.35.x86_64.rpm nagios-www-4.4.6-bp154.1.35.x86_64.rpm nagios-contrib-4.4.6-bp154.1.35.x86_64.rpm
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...
Paketabhängigkeiten werden aufgelöst...

Die folgenden 3 Pakete werden durch eine ältere Version ausgetauscht:
nagios nagios-contrib nagios-www

3 Pakete werden zurückgestuft.
Gesamtgröße des Downloads: 1,7 MiB. Bereits im Cache gespeichert: 0 B. Nach dem Vorgang werden 10,3 KiB freigegeben.

Backend: classic_rpmtrans
Continue? [j/n/v/...? zeigt alle Optionen] (j): j
Abrufen: nagios-4.4.6-bp154.1.35.x86_64 (Einfacher Cache für RPM-Dateien) (1/3), 341,4 KiB
Abrufen: nagios-www-4.4.6-bp154.1.35.x86_64 (Einfacher Cache für RPM-Dateien) (2/3), 1,4 MiB
Abrufen: nagios-contrib-4.4.6-bp154.1.35.x86_64 (Einfacher Cache für RPM-Dateien) (3/3), 41,8 KiB


After the downgrade and the nagios restart, I injected again a "mount" command within the command_line for the
/usr/local/pnp4nagios/libexec/process_perfdata.pl --bulk=/usr/local/pnp4nagios/var/service-perfdata
As a result, the mountpoints are exactly the same as for the root user:

...
/dev/mapper/system-root on / type ext4 (rw,relatime)
/dev/mapper/system-usr on /usr type ext4 (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19098)
/dev/mapper/system-var on /var type ext4 (rw,relatime)
/dev/mapper/system-log on /var/log type ext4 (rw,relatime)
...


It appears to me that the readonly mountings for /usr, /etc, /bin, etc. within the environment/userspace of the nagios user are related to the nagios version 4.4.7.
Maybe it is realized in the code by a mechanism like fuser?

Post by danderson »

Here is the changelog for 4.4.7

4.4.7 - 2022-04-14
------------------
FIXES
* Fixed checkboxes in jsonquery.html (#778) (Rfferrao87)
* Added SSL support for version update check (Sebastian Wolf)
* Note: NEB modules using the priority/scheduling queues in libnagios may need to update headers due to symbol conflicts with OpenSSL.
* Fixed XSS in homepage when displaying update check results (Sebastian Wolf)
* Fixed allocation error in getcgi.c (#820) (Ariadne Conill)
* Fixed Error: NULL variable for lines of spaces in resource.cfg (#814) (Ralf Herrmann)
* Fixed crash when handling large check output (#825, #828) (Kilvador)
* Update packaging instructions for RPM/EPEL (#850) (T.J. Yang)
* Include packaging instructions for DEB (#842) (Catfriend1)
* Fixed CGI object processing when names end in \ (#819) (Sebastian Wolf)
* $SERVICEPROBLEMID$ now accessible when notifications are sent (#688) (Sebastian Wolf)

If you don't trust me, you can go through the codebase: https://github.com/NagiosEnterprises/nagioscore
Maybe there is something in there I'm missing.

Post by naguser_edu »

Dear danderson,

I didn't mean to be rude, it has nothing to do with mistrust. But I don't quite understand why a mount command within the environment of the Nagios user under nagios-4.4.7-bp155.1.6.x86_64 shows the directories mentioned as readonly. Even if I start a normal bash shell with the nagios user, mount returns all the file systems as readwrite. I can't think of a reason for this. And the system behaves as usual when downgrading to nagios-4.4.6-bp154.1.35.x86_64 - without any other changes.


Maybe there are some adjustments to the code by the distribution developers for this package? That would explain the phenomenon.
Unfortunately, I do not know where such changes would be documented.

I have now adjusted the paths for the performance data and no longer use a folder below /usr. That makes it work with 4.4.7 again.
Unfortunately, the issue with the check_ro script remains.
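
A way to check the observation in this post, added here as an example and not part of the original thread or of Nagios Core: the script compares two /proc/<pid>/mountinfo views and lists mount points that are read-only only in the service's view, together with whether the filesystem itself (superblock) is read-only. The sample text is constructed from the mount output quoted above (mount IDs and device numbers are invented), and the function names are hypothetical.

```python
"""Compare two mount-namespace views given as /proc/<pid>/mountinfo text."""

# Constructed sample data modelled on the mount output quoted in the thread;
# mount IDs, device numbers and propagation tags are invented.
HOST_MOUNTINFO = """\
25 1 254:1 / / rw,relatime shared:1 - ext4 /dev/mapper/system-root rw
40 25 254:2 / /usr rw,relatime shared:20 - ext4 /dev/mapper/system-usr rw
41 25 254:3 / /var rw,relatime shared:21 - ext4 /dev/mapper/system-var rw
"""
SERVICE_MOUNTINFO = """\
310 300 254:1 / / rw,relatime shared:90 master:1 - ext4 /dev/mapper/system-root rw
311 310 254:2 / /usr ro,relatime shared:91 master:20 - ext4 /dev/mapper/system-usr rw
312 310 254:3 / /var rw,relatime shared:92 master:21 - ext4 /dev/mapper/system-var rw
313 310 254:1 /etc /etc ro,relatime shared:93 master:1 - ext4 /dev/mapper/system-root rw
"""


def parse_mountinfo(text):
    """Return {mount_point: (per_mount_ro, superblock_ro)}; later lines win."""
    mounts = {}
    for line in text.splitlines():
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 3:
            continue  # blank or malformed line
        # lf[5]: options of this mount (bind remounts); rf[2]: filesystem-wide
        mounts[lf[4]] = ("ro" in lf[5].split(","), "ro" in rf[2].split(","))
    return mounts


def compare_views(host_text, service_text):
    """List (mount_point, reason, superblock_ro) for ro mounts unique to the service."""
    host, svc = parse_mountinfo(host_text), parse_mountinfo(service_text)
    findings = []
    for mp, (mount_ro, sb_ro) in sorted(svc.items()):
        if not mount_ro:
            continue
        if mp not in host:
            reason = "ro mount exists only in this namespace"
        elif host[mp][0]:
            continue  # read-only on the host as well: not namespace-specific
        else:
            reason = "rw on host, ro in this namespace"
        findings.append((mp, reason, sb_ro))
    return findings


if __name__ == "__main__":
    for finding in compare_views(HOST_MOUNTINFO, SERVICE_MOUNTINFO):
        print(finding)
```

On a live host, pass the contents of /proc/1/mountinfo and /proc/<pid of the nagios daemon>/mountinfo; any finding means the daemon runs in its own mount namespace, and a superblock flag of False means the filesystem itself is still writable, which is the condition a read-only-filesystem check usually cares about.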

Post by danderson »

Upon skimming some of the patch files in 4.4.7 I didn't see anything. Do any other packages get upgraded/downgraded whenever you upgrade/downgrade?